I am trying to build a secure login for my small app, so I decided to use the JWT approach with the Firebase JWT library for Lumen.
I discovered I can't revoke my token except with some dynamic data like a session. And Lumen has stopped shipping with the session package since Lumen 5.2;
I know there might be a reason why they stopped supporting sessions.
And I have the Tymon JWT package, but it does not work well with Lumen 5.6.
That's why I use Firebase JWT-PHP as an alternative.
I would like to know an alternative to sessions with a strong example, or any idea of the best JWT login with revocation of the token on logout.
If you want to use sessions, the method in this comment seemed to do the trick, though I haven't torture-tested it all that much (I just discovered it a couple days ago myself), so YMMV:
https://stackoverflow.com/a/47055083/1246105
In short, you can just install the session handling from Laravel à la carte.
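An added example (not code from the thread or from any of the libraries named in it) of what "revoke on logout" looks like without a session: every JWT gets a `jti` claim, and logout puts that `jti` on a denylist for only as long as the token could still be replayed. It uses firebase/php-jwt (assumed to be version 6 or later, installed via Composer); the `Denylist` class is an in-memory stand-in for a Redis-backed store such as Lumen's `Cache` facade, and the secret is a placeholder.

```php
<?php
// Added example: stateless JWT login with logout revocation via a jti denylist.
// Assumes firebase/php-jwt >= 6 via Composer. The Denylist below stands in for
// Cache::put("jwt:revoked:$jti", true, $remainingSeconds) backed by Redis.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

const JWT_SECRET = 'replace-with-a-long-random-secret'; // placeholder; load from env in practice
const JWT_ALG    = 'HS256';
const JWT_TTL    = 3600; // one hour

// Denylist of revoked token ids, each kept only until the token itself expires.
final class Denylist
{
    private array $revoked = []; // jti => exp timestamp

    public function revoke(string $jti, int $expiresAt): void
    {
        $this->revoked[$jti] = $expiresAt;
    }

    public function isRevoked(string $jti, int $now): bool
    {
        if (!isset($this->revoked[$jti])) {
            return false;
        }
        // Once the token has expired the exp check rejects it anyway, so the entry can go.
        if ($this->revoked[$jti] <= $now) {
            unset($this->revoked[$jti]);
            return false;
        }
        return true;
    }
}

function issueToken(int $userId, int $now): string
{
    $payload = [
        'sub' => $userId,
        'iat' => $now,
        'exp' => $now + JWT_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique id so this exact token can be revoked
    ];
    return JWT::encode($payload, JWT_SECRET, JWT_ALG);
}

// Returns the claims, or null when the token is malformed, badly signed, expired or revoked.
function authenticate(string $token, Denylist $denylist, int $now): ?object
{
    try {
        $claims = JWT::decode($token, new Key(JWT_SECRET, JWT_ALG));
    } catch (\Throwable $e) {
        return null;
    }
    if (empty($claims->jti) || $denylist->isRevoked($claims->jti, $now)) {
        return null;
    }
    return $claims;
}

// Logout: denylist the jti until the token's own exp, after which it is useless anyway.
function logout(string $token, Denylist $denylist): void
{
    try {
        $claims = JWT::decode($token, new Key(JWT_SECRET, JWT_ALG));
    } catch (\Throwable $e) {
        return; // already invalid or expired; nothing to revoke
    }
    $denylist->revoke($claims->jti, (int) $claims->exp);
}

// Demo run
$denylist = new Denylist();
$now      = time();
$token    = issueToken(42, $now);
var_dump(authenticate($token, $denylist, $now) !== null); // bool(true)
logout($token, $denylist);
var_dump(authenticate($token, $denylist, $now) !== null); // bool(false): revoked
```

The denylist only needs to hold a `jti` for the remaining lifetime of its token, so keeping the access-token TTL short bounds the store's size; checking the denylist on every request is the one piece of server-side state this design keeps.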
Related
I am working on a React Native application for a website which is made in Laravel, so all of its APIs are based on Laravel.
I am facing a problem with the CSRF token when making POST requests to the Laravel backend. Every time I get a response of "Page is Expired".
I have done some research on the issue and found that CSRF tokens are generated by Laravel by default for security purposes. My question is how I can connect to the Laravel API.
One solution which was suggested is to use JWT tokens, but that's really not a feasible solution for me, and I am not sure how to implement JWT authentication in Laravel.
Another solution which I have read is that whenever we visit a page made using Laravel, then in the window object window.csrfToken can be accessed, which is the token I need for making the API calls. Is it true? And if it is, then how can I get that in a React Native application (should I make a GET request to the website and try to get the token from there; is it possible?)
One more solution I think of is that we can bypass some routes in the Laravel middleware so that the token is not checked.
I need some suggestions on the issue. I also need to know whether the above solutions are correct or not and which one I should use.
Thanks
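An added illustration (not from the thread) of how the "bypass some routes" idea is normally expressed in Laravel 5.x, so that CSRF stays on for browser-facing web routes while a mobile client talks to routes in the stateless `api` group and proves its identity with a token instead. `VerifyCsrfToken::$except`, `routes/api.php` and the `auth:api` guard are standard Laravel mechanisms; the route names and closure body are illustrative.

```php
<?php
// Added example: keep CSRF on web routes, authenticate the mobile client on api routes.

// app/Http/Middleware/VerifyCsrfToken.php
// Only URIs listed here skip the CSRF check. Prefer leaving this empty and
// moving mobile endpoints under routes/api.php, whose middleware group
// carries no session and therefore no CSRF check.
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    protected $except = [
        // 'webhooks/*',   // example of a legitimate exception: third-party callbacks
    ];
}

// routes/api.php (illustrative route; requests arrive as /api/profile)
// The auth:api guard expects "Authorization: Bearer <token>" from the
// React Native client, so no CSRF token is involved at all.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:api')->post('/profile', function (Request $request) {
    return response()->json([
        'user' => $request->user()->only(['id', 'name']),
    ]);
});
```

The point for the mobile case is that a CSRF token defends a cookie-backed session; an API client that sends a bearer token and receives no session cookie has nothing for CSRF to protect, which is why Laravel leaves the check out of the `api` group rather than asking clients to fetch a token first.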
I'm currently using Laravel 5.6 with the Laravel JWT library for a new web app.
I would like to store the JWT in a cookie without using a conventional session, but there doesn't seem to be an easy way of going about this with the JWT library.
In my Auth controller I return the token in a cookie, but Laravel still starts a session, which I don't want, since I want the session inferred from the cookie.
I also went into Kernel.php and removed some of the Session stuff from the web middleware group, but then that caused a runtime exception saying "Session store not set on request."
I've seen some hacked-together solutions that were half implemented, but I would like to hear some insight from anyone that has done this elegantly or felt like their solution was correct.
Thanks
For my purpose I determined that using encrypted cookies will suffice for the web application (using Redis as a cache), and then using JWTs for the mobile API.
Our challenge is below for our latest project. With the advent of the Laravel Passport API we thought of giving it a try instead of using the old https://mattstauffer.co/blog/introducing-laravel-passport that I guess everybody was using prior to Laravel 5.3.
So our challenge is how to implement Laravel Passport for our mobile apps, since we need to register users through an API instead of the Vue login element provided in the latest Laravel.
Any help will be much appreciated.
The Laravel Passport API as of now doesn't support creating the user credentials other than by using their Vue view component. So there is no way you can do that. So if that is very important for your business/project, then I would advise sticking to JavaScript for creating access/API tokens instead of using the standard Laravel Passport OAuth implementation.
The ideal diagnosis for such issue is to implement your own logic of handling creating tokens and oAuth user in respective tables in Laravel.
Laravel provides routing for applications in general with its user login/register method.
However, my application is not able to take advantage of the CSRF token and sessions, as its view is powered by PhoneGap, so I'm forced to use another method of authentication to ensure all requests from the PhoneGap app to the Laravel routes/controllers are secure.
Is Laravel Passport suitable for this, or is OAuth2 used for something different? I just need a bit of guidance, as I'm quite new to this method of authentication.
Laravel Passport, or OAuth2 for that matter, is used to authenticate clients (mobile apps or web apps, like in your case) to securely use APIs to access data.
So yes, Laravel Passport is used to authenticate clients, but the way you can use it in your project entirely depends on your exact requirements, because if you are just planning to submit forms then you can still do it without using CSRF tokens or Laravel Passport or OAuth2, but if you want to build a secure way of allowing your clients/users to submit and channel data to your backend then yes, you should use Laravel Passport.
Laravel 5.3 has a slight challenge in terms of implementing Laravel Passport for APIs, and to help you with that I have already written a detailed setup and usage write-up here: Laravel's 5.3 passport and api routes.
Let me know if you need any help, as I have been using OAuth2 and Laravel Passport recently in almost all of my projects.
Since the last version (5.2), cookies are disabled in Lumen. I'm currently making an API in Lumen with JWT authentication.
To secure my application from CSRF attacks I need to set a CSRF cookie. But what is the best way to handle that now?
VerifyCsrfToken Middleware was removed in this commit.
From Lumen 5.2 documentation:
Lumen 5.2 represents a more decided shift towards focusing on stateless APIs.
So, if you need CSRF token verification, you have to implement it yourself, storing the token in a meta tag or inside the JWT payload as a private claim (you will need to implement the new claim, i.e.: here).
If it was removed, there's probably a good reason. Here I leave some links that may help you move on.
CSRF Token necessary when using Stateless(= Sessionless) Authentication?
Where to store JWT in browser? How to protect against CSRF?
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage#post-2748616172
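An added example (not code from either thread or from any of the libraries mentioned) that serves both the "JWT in a cookie without a session" question above and the last answer's suggestion of carrying the CSRF token as a private claim inside the JWT. The JWT travels in an HttpOnly cookie, its `csrf` claim is returned once in the login body, and every state-changing request must echo that value in a header; the server compares header and claim, double-submit style, so a cross-site request (which carries the cookie but cannot read the claim) fails. It assumes firebase/php-jwt version 6 or later; the request is modelled as plain arrays so the script runs outside Lumen, and the secret, cookie name and header name are placeholders.

```php
<?php
// Added example: cookie-borne JWT whose private "csrf" claim doubles as the
// CSRF token. Assumes firebase/php-jwt >= 6 via Composer. Cookies and headers
// are plain arrays here; in Lumen read them from Illuminate\Http\Request.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

const JWT_SECRET  = 'replace-with-a-long-random-secret'; // placeholder; load from env
const JWT_ALG     = 'HS256';
const AUTH_COOKIE = 'auth_token';   // assumed cookie name
const CSRF_HEADER = 'X-CSRF-TOKEN'; // assumed header name

// Login: mint the JWT with a random csrf claim. The JWT goes in an HttpOnly
// cookie (unreadable by script); the csrf value is returned in the JSON body
// so the front end can keep it in memory and echo it on unsafe requests.
function loginResponse(int $userId): array
{
    $csrf    = bin2hex(random_bytes(32));
    $now     = time();
    $payload = ['sub' => $userId, 'iat' => $now, 'exp' => $now + 3600, 'csrf' => $csrf];
    $jwt     = JWT::encode($payload, JWT_SECRET, JWT_ALG);

    return [
        'set_cookie' => [
            'name'     => AUTH_COOKIE,
            'value'    => $jwt,
            'httponly' => true,   // script cannot read the JWT
            'secure'   => true,   // HTTPS only
            'samesite' => 'Lax',  // extra CSRF margin; the header check is the real control
        ],
        'body' => ['csrf_token' => $csrf],
    ];
}

// Middleware-style check: the cookie JWT must verify, and for unsafe methods
// the header must equal the csrf claim embedded in that same JWT.
function verifyRequest(string $method, array $cookies, array $headers): bool
{
    $jwt = $cookies[AUTH_COOKIE] ?? null;
    if (!is_string($jwt)) {
        return false;
    }
    try {
        $claims = JWT::decode($jwt, new Key(JWT_SECRET, JWT_ALG));
    } catch (\Throwable $e) {
        return false; // bad signature, malformed or expired
    }
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods change nothing, so no CSRF proof is required
    }
    $sent = $headers[CSRF_HEADER] ?? '';
    $claim = $claims->csrf ?? null;
    // Constant-time comparison of header against the claim signed into the JWT.
    return is_string($claim) && is_string($sent) && hash_equals($claim, $sent);
}

// Demo run
$login   = loginResponse(7);
$cookies = [AUTH_COOKIE => $login['set_cookie']['value']];
var_dump(verifyRequest('GET',  $cookies, []));                                          // bool(true)
var_dump(verifyRequest('POST', $cookies, [CSRF_HEADER => $login['body']['csrf_token']])); // bool(true)
var_dump(verifyRequest('POST', $cookies, []));                                          // bool(false): cookie alone
var_dump(verifyRequest('POST', $cookies, [CSRF_HEADER => 'guess']));                    // bool(false): wrong token
```

Because the CSRF value is a signed claim rather than a second cookie, the server keeps no session and nothing per user; rotating the JWT on login rotates the CSRF token with it, and the same cookie-plus-header pair works for a Lumen API and a browser front end alike.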